How Strengthening Security Can Weaken Security

We all know that if you ask people to choose incredibly complex passwords which frequently change, they will write them down on a Post-It note*.

I've recently discovered another way in which increasing perceived security reduces actual security.

On one of my Android phones, I use pattern unlock. If I want access to my phone, I have to draw a squiggly gesture in order to get in. It's like a handwritten signature rather than a complex password**.

It's easier for people to use subconscious tools - like muscle memory - to remember security details.

The swiping gesture (even in multiple directions) is quicker than repeatedly tapping at the screen in order to enter a PIN or password.

Because it's quick for me to pass security, I'm happy to let my phone auto-lock after a minute. To get back in, I wake the phone and quickly draw a pattern.

This means that if I leave my phone unattended, or if it is stolen from me, the security measures will activate in 60 seconds.

That, to me, seems pretty secure. Not perfect, but good enough.

A previous employer - who shall remain nameless - required me to use a specific tool on my Android phone. The tool required me to set a password of 6 characters. I could no longer use a pattern, or even a short PIN. I had to have a 6-character PIN.

There are two security drawbacks.

Firstly, the pattern lock takes place on a 3x3 grid. Patterns can be fairly complex and even longer than the 6 digits requested for the PIN. I could have a complex pattern - or my PIN could be 123456.
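To put numbers on that comparison, here is an added illustration (not code from the original post) that enumerates every valid Android 3x3 unlock pattern and sets the result beside the space of 6-digit PINs. It assumes Android's standard pattern rules: at least 4 dots, no dot reused, and a stroke may only pass over a dot that is already part of the pattern. The raw pattern space turns out smaller than the one million PINs, so the argument really turns on which PIN a person actually picks and on how long the lock delay is.

```python
# Count the valid unlock patterns on Android's 3x3 grid and compare that
# space with the 10^6 six-digit PINs. Added illustration, not code from the
# post. Assumed rules: min 4 dots, no repeats, and a straight stroke may only
# jump over a dot that has already been visited.
GRID = 3
MIN_LEN, MAX_LEN = 4, GRID * GRID


def _blocked_by(a: int, b: int):
    """Dot index a stroke from a to b passes over, or None if it passes none."""
    ra, ca = divmod(a, GRID)
    rb, cb = divmod(b, GRID)
    if (ra + rb) % 2 or (ca + cb) % 2:
        return None  # midpoint is not a grid dot (adjacent or knight move)
    return ((ra + rb) // 2) * GRID + (ca + cb) // 2


def count_patterns_by_length() -> dict:
    """Map pattern length -> number of distinct valid patterns of that length."""
    counts = {n: 0 for n in range(MIN_LEN, MAX_LEN + 1)}

    def extend(path, visited):
        if len(path) >= MIN_LEN:
            counts[len(path)] += 1
        for nxt in range(GRID * GRID):
            if visited & (1 << nxt):
                continue  # dots cannot be reused
            mid = _blocked_by(path[-1], nxt)
            if mid is not None and not visited & (1 << mid):
                continue  # would jump over a dot not yet in the pattern
            extend(path + [nxt], visited | (1 << nxt))

    for start in range(GRID * GRID):
        extend([start], 1 << start)
    return counts


def compare_with_pin(pin_digits: int = 6) -> dict:
    """Size of the PIN space versus the pattern space (all lengths, and only
    patterns at least as long as the PIN)."""
    counts = count_patterns_by_length()
    return {
        "pin_space": 10 ** pin_digits,
        "pattern_space": sum(counts.values()),
        "patterns_at_least_pin_len": sum(
            v for n, v in counts.items() if n >= pin_digits
        ),
    }


if __name__ == "__main__":
    print(count_patterns_by_length())  # {4: 1624, 5: 7152, ..., 9: 140704}
    print(compare_with_pin(6))  # pattern_space 389112 vs pin_space 1000000
```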

Secondly, it's much less convenient. This means I will find a way to bypass it. Now, I can't disable the security requirement to enter a PIN - but I can make it come up less frequently.

As I mentioned, my Android was set to lock after a minute of inactivity. That can now be set to lock after 10 minutes of inactivity. Hey presto, there's now a 10-minute window of opportunity to access my device, rather than 60 seconds.

So, I went from a secure pattern which activated a minute after I put it down, to a PIN of 123456 which doesn't kick in for ten minutes.

Which is more secure?

* Whether that is secure or not is left as an exercise for the reader.
** Grease-mark identification notwithstanding.